Cybercrime is a concern, so is overregulation: CERT-In guidelines impose an impractical reporting burden on businesses


By Anvitii Rai

The Computer Emergency Response Team India (CERT-In) guidelines, ostensibly aimed at preventing cybersecurity breaches, have already caused a stir. Due to come into force from the end of June, these oblige providers of virtual private network (VPN) services as well as virtual assets (such as cryptocurrency) to retain users’ personal data for five years and to turn it over to the government when requested, or face punitive action. Virtual asset providers will be required to retain Know Your Customer (KYC) details for the same period. It is not difficult to see why these regulations are excessive and unrealistic. The government and some experts remain of the view that these regulations will help strengthen the legal framework needed to fight cybercrime. Union Electronics and IT Minister Ashwini Vaishnaw said the regulations should not raise privacy concerns. “Suppose someone takes a mask and shoots, wouldn’t you ask him to remove that mask? That’s how it is,” he told The Indian Express. Notwithstanding the minister’s claim, there are several gaping holes in the rules.

For example, according to CERT-In, 212,485 cybercrime incidents were reported in the first two months of 2022, an average of around 3,600 cases per day. If all incidents are to be reported within six hours, CERT-In would need massive infrastructure capacity to handle such an overwhelming number of cases. The mechanism for dealing with such incidents is long and cumbersome, requiring form filling, assessment, triage and, if necessary, the appointment of a team. If the new system is implemented, the agency, which already struggles with poor investigative infrastructure and capacity, will be bogged down, especially since the global standard for reporting time is 72 hours. Instead, one could look to the United States, which very recently signed its Better Cybercrime Metrics Act, designating local legal agencies to collect and report cybercrime data. In the Indian case, it is unclear whether cases will be delegated to subordinate CERTs. US law also requires categorisation of reported cybercrimes, which Indian experts also consider a requirement. Cybercrimes are of several different types; a one-size-fits-all approach therefore does not make sense.

The other contentious part of the legislation requires providers of virtual assets and services to keep logs of user information, which is a direct violation of the privacy of individual users. The rules require a number of details that include personal identifiers; service providers are required to store not only email IDs and IP addresses, but also the name, validated address and contact details of their customers, as well as timestamps. The whole point of a VPN, for example, is the anonymity and encryption of data to facilitate the secure transfer of information. The Centre itself is no stranger to this; in 2020 it mandated IT companies to use VPNs to transfer data. So asking VPN providers, some of whom don’t even have the technical means to comply with the directive, to keep an information log contradicts their sole purpose. This has led several companies to express their intention to exit the market.

Regulation is a necessity, but over-regulation is certainly not the solution. It should be noted that no public consultation was held by CERT-In prior to the drafting or publication of these regulations which seek to impose an onerous and impractical reporting burden on companies. A good step would be to make a fresh start and work with cybersecurity and vulnerability experts as well as industry insiders to draft a comprehensive, lean but effective policy framework.
